• Hey there,

    Just a few comments/questions and a little quick background:

    On Christmas Eve, somebody actually hacked my WP site. No, it wasn’t a security hole in WP which did it but my own stupid operator error. I had left some WP-Content directories 777 writable so that I could edit files on the fly and also upload pictures. Well, somebody went in there and wrote their own code in my template files and also added files such as a commands.php file and the like so that they could probably spam or track things from my site.

    Stupidly, they fucked up and broke my template, which led me to track down the problem and discover what they had done. They had installed files in every single images directory (all 777) and in my theme directory (also 777). Thankfully, it wasn’t in there for long and I managed to go in there, erase all their code and lock down my site (back to 755).

    I don’t know if this has happened to you, but if it has, I’d love to hear about it sometime.

    My questions to podz and others (fortune and blessings be upon them for their tireless work) are the following:

    1) How can I avoid this in the future? Aside from keeping everything in 755 permissions, is there any way at all? I can’t think of one.

    2) If not, isn’t having a directory (such as wp-content) at 777 a huge security risk? And if it means I have to chmod back to 777 from 755 every time I want to upload a picture, doesn’t that get a tad counterproductive?

    3) I’m using ecto to blog from my mac mostly. I happen to like being able to just drag-drop and upload pictures. If it isn’t 777, I can’t do that. Any suggestions on keeping my site safe and still able to blog to it easily enough? Again: I can’t think of anything. BTW, I realize that this really has nothing to do with WP coding because it’s the way the permissions work, and I am not blaming anyone for this. I’m just trying to find out if anyone has thought of some solutions/advice/tips?

    4) Trackbacks work in ecto with WP now – on some sites and not on some others. I tried it this morning and it worked fine for 2 sites. 2 others gave me problems. Might that just be a problem with their site/system? I’m not sure. I’m happy that trackbacks do finally work again with outside clients with WP now, however, and I would like to thank the people who fixed that. At least as far as it works right now. ?? Good job and thank you very much.

    5) I’d also like to say that my site was upgraded with no fuss and no muss just by following the directions. All of the plugins still worked except for the tiger admin CSS, but I simply downloaded the updated beta version and now that works fine. It just goes to show what an awesome job was done on the 2.0 version and how simple and great the instructions were. Thanks to everyone who contributed to that.

    That’s all. Hopefully some people have some tips/insight/advice on security with what I mentioned above. Other than that, I haven’t had any problems with WP in general. I’d love to hear feedback to my questions, and if I find anything which needs fixing, I’ll try to post it here.

    Once again, thank you guys for everything. Wonderful job and wonderful product.

Viewing 3 replies - 1 through 3 (of 3 total)
  • 1 and 2.
    777 is always going to be a risk, but having a directory whose name is known anywhere that is 777 would seem to me to be not the wisest of moves. Aside from themes / plugins, I store images and files elsewhere – never in wp-content.

    You can avoid it in two ways:
    – change the permissions as and when you need to. This is tedious, takes time and will probably not happen because it’s tedious, takes time …
    – get your host to improve things. After all, that’s in everyone’s interests, not just yours. As an example, my host has directories at 755 and files at 644 – and I can edit and upload without changing anything. No doubt someone will say that such a thing still has risks, but I take the view that all you need to do is make your blog / website that little bit tougher and the idiots will move to other places to hack.

    3. If you can, create a directory with a name that suits you, chmod it to 777 and use that. That makes it harder to find … not great but slightly better.

    and 6 – backup nightly ??

    Check with your hosting provider about what can be done to restrict access. 777 is, obviously, not ideal; but many hosting providers are not set up to provide anything better. If your host can’t — or won’t — help you, consider shopping for a new host.

    Thread Starter banagor

    (@banagor)

    Thanks. It’s what I figured.

    A little clarification: I don’t keep my pictures etc. in wp-content. I have another folder which is 777 (or was) to store them in. I organize them by month so it makes it easier. I’m organized. ??

    But they managed to find it anyway. Obviously all you have to do is get info on a picture to see where it is stored. Not too hard to figure out.

    I think I’ll just change permissions with my FTP program whenever I want to upload a pic. A pain in the butt, but only a 1 minute pain in the butt at best, I guess. It would be nice if somebody wrote some sort of program which, when logging in to post remotely or via web interface, would do that automatically for that post and reset it after the post was posted.

    That’s just an idea I came up with now. But not a bad one I think? Although I’m not sure how exactly that would work.
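    The two ideas in this thread, the reply’s advice to run directories at 755 and files at 644, and the thread starter’s wish for a program that opens a directory for writing only around an upload and closes it again afterwards, as an added shell example that is not code from the thread or from WordPress. It audits a web root for anything world-writable (the 777 directories and 666 files the original poster described), resets those to 755/644, and wraps a single upload command in a short write window. The sample tree it builds (month-named image directories, a theme directory and one template file) is constructed for the demonstration; every path in it is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread or from WordPress): audit a web root for
# world-writable entries, reset them to 755/644, and give an upload a short
# write window. The sample tree built below is constructed for the demo.

# List every directory or file under $1 that any user on the host can write.
# "-perm -002" matches when the "other" write bit is set, whatever else is set,
# so it catches 777 directories and 666 files wherever they live, regardless
# of how obscure the directory name is.
audit_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -002 -print
}

# Number of world-writable entries; a nightly cron job can alert when this is
# anything other than 0.
count_world_writable() {
    audit_world_writable "$1" | wc -l | tr -d ' '
}

# Reset to the layout the reply describes: directories 755, files 644.
fix_permissions() {
    find "$1" -type d -perm -002 -exec chmod 755 {} +
    find "$1" -type f -perm -002 -exec chmod 644 {} +
}

# Open $1 for writing, run the rest of the arguments as a command, then close
# the directory again whether or not the command succeeded. Example use:
#   with_write_window /var/www/images/2006/01 cp picture.jpg /var/www/images/2006/01/
with_write_window() {
    dir="$1"; shift
    status=0
    chmod 777 "$dir"
    "$@" || status=$?
    chmod 755 "$dir"
    return $status
}

# Constructed sample tree mirroring the poster's layout: image directories by
# month plus a theme directory, all left at 777, and one template at 666.
# Prints the path of the tree so callers can clean it up.
make_sample_root() {
    umask 022
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/themes/mytheme" "$root/images/2005/12" "$root/images/2006/01"
    printf '<?php /* theme template (constructed) */ ?>\n' > "$root/wp-content/themes/mytheme/index.php"
    chmod 777 "$root/wp-content/themes/mytheme" "$root/images/2005/12" "$root/images/2006/01"
    chmod 666 "$root/wp-content/themes/mytheme/index.php"
    printf '%s\n' "$root"
}

# Stand-alone run ("sh audit.sh demo"): show the problem, fix it, show it is gone.
if [ "${1:-}" = "demo" ]; then
    root=$(make_sample_root)
    echo "world-writable before fix:"
    audit_world_writable "$root"
    fix_permissions "$root"
    echo "world-writable after fix: $(count_world_writable "$root")"
    rm -rf "$root"
fi
```

The audit and fix functions are the part worth running on a schedule: a host that leaves a directory at 777 for convenience will show up in the count no matter what the directory is called, which is the check the reply's "harder to find" suggestion leaves open. The write window keeps the directory closed except during the upload itself; because the created file inherits the normal umask it ends up 644, so the count returns to 0 once the window closes.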

  • The topic ‘Hacked WP Files, Trackbacks, and Questions’ is closed to new replies.